On Fri, Feb 10, 2006 at 08:58:05AM +0100, Oliver Welter wrote:
> Hi Folks,
>
> I encounter several problems regarding routing with a vServer host that
> has multiple networks.
>
> I have a host which occupies three networks, my guest has IPs only in
> two of them resulting in the problem, that guest is unable to ping the
> third network under certain circumstances.
>
> When I try to ping the third network, the packets are emitted with
> source address from the first activated network (so, the lowest number
> in the interface directory) - in my case this is an internal maintenance
> LAN and I get packets that are unroutable.
> The packets are routed to the target but are discarded there because
> they come in via the external NIC (third network) but have a source
> address that belongs to the internal NIC.
>
> I hope anybody understands this description - but I can't describe it
> better...
>
> The workaround for now is, to setup the IP belonging to the default
> route of the host as first in the vServer. It also works when I
> discard all network-routes from the host's routing table and address
> this by source based routing policies.
>
> But I assume that it would be best, when the implementation of vServer
> network-management hides all routes that are not accessible by the
> guest.

'hiding' those routes (as in proc or for ip route) is not
a real problem, but that will not help you in any way, the
routing decisions are solely based on the view the host
has of the network, as the network stack is not virtualized
but shared. you can not simply 'hide' routes from routing
cache and fib database ...

if you want a schizophrenic host which can handle separate
networks, you simply have to configure that properly, in
your case that means to create two tables which contain
the separate network entries and only put the 'shared' net
in the main table, then have appropriate rules decide which
table to choose from, based on the source ip

this is nothing Linux-VServer specific, it is the way how
linux networking works and it will not change without some
kind of network stack virtualization, which will be done
in the upcoming ngnet ...

best,
Herbert

> Oliver
>
> --
> This message was digitally signed
> oliwel's public key: http://www.oliwel.de/oliwel.crt
> Root certificate: http://www.ldv.ei.tum.de/page72
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Fri Feb 10 08:51:03 2006
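
Added example (not part of the original thread, and not Linux-VServer code): a sketch of the source-based policy routing described in the reply, with one table per separate network and rules that pick the table by source IP. The interface names, addresses, gateway and table numbers are constructed for illustration; the script only prints the iproute2 commands unless APPLY_POLICY_ROUTES=1 is set.

```shell
#!/bin/sh
# Constructed sample layout (assumption, not from the thread):
#   eth1  10.0.1.0/24   internal maintenance LAN, no gateway   -> table 101
#   eth2  192.0.2.0/24  external network, gateway 192.0.2.1     -> table 102
# The 'shared' network is left untouched in the main table.

# policy_table <table-id> <dev> <network/cidr> <source-ip> <gateway|->
# Prints the commands that move one network into its own routing table.
policy_table() {
    tbl=$1; dev=$2; net=$3; src=$4; gw=$5
    # Connected network goes into the dedicated table first ...
    echo "ip route add $net dev $dev src $src table $tbl"
    # ... then it is taken out of main, so the host-wide lookup no
    # longer selects this interface for unrelated source addresses.
    echo "ip route del $net dev $dev table main"
    # Optional default route, only for networks that have a gateway.
    if [ "$gw" != "-" ]; then
        echo "ip route add default via $gw dev $dev table $tbl"
    fi
    # Packets sourced from this address consult only this table.
    echo "ip rule add from $src lookup $tbl"
}

# Full command list for the constructed layout above.
plan() {
    policy_table 101 eth1 10.0.1.0/24  10.0.1.10  -
    policy_table 102 eth2 192.0.2.0/24 192.0.2.10 192.0.2.1
}

# Dry run by default; as root, APPLY_POLICY_ROUTES=1 executes the plan.
if [ "${APPLY_POLICY_ROUTES:-0}" = 1 ]; then
    plan | sh -e
else
    plan
fi
```

Afterwards, "ip rule show" and "ip route show table 102" display the resulting rules and per-table routes.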